Return User Groups in Radius Response

dgo · June 13, 2019, 8:11am

Hi,
at the moment we are using privacyIDEA for SSH Key Management, for 2FA (VPN provieded by Watchguard Firewall) we have a Vasco Identikey Server. Now I’m checking if the Vasco server can replaced by privacyIDEA.The Watchguard appliance use radius for authentification.

The radius authentification with privacyIDEA is working without any problems. The problem is, that I need all groups of the user on the Watchguard Appliance. This is possible with the radius attribute “Filter-ID”, see: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/ssl/mvpn_ssl_ext_auth_server_config.html

So, the privacyIDEA “LDAP Resolver” syncs all groups of a user with the configuration “Attribute mit mehreren Werten”: [“group”]
The file /etc/privacyidea/rlm_perl.ini looks like this:

[Attribute Filter-Id]
dir = user
userAttribute = group
regex = cn=(.*),ou=Groups,dc=mycompany,dc=de
prefix =
suffix =

Now the response contains the Filter-ID attribute, but only last group of the user, not all. The repsonse looks like:

rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=118, length=210
    Filter-Id = "SSLVPN-Extern"
    ...
    Reply-Message = "privacyIDEA access granted"

The response from the vasco server looks like:

rad_recv: Access-Accept packet from host xxx port 1812, id=206, length=68
    Filter-Id = "SSLVPN-Intern"
    Filter-Id = "SSLVPN-Extern"
    ...

It’s possible to receive all user groups in the privacyIDEA radius response?

Many thanks.

cornelinux · June 13, 2019, 7:17pm

It depends on your mapping in the ldap resolver definition.
Add a "group": "memberOf".

Note, that internal groups like “domain users” are not returned.

You also need a policy scope=authz, action=add_user_in_response.

Before doing anything else in RADIUS, you should check the authentication request response, if the components are contained.

But I gues you know this, that you should take one step after the other in a more complex chain.

dgo · June 14, 2019, 11:16am

Hi,
thanks for the quick response.

The resolver definition contains the "group":" member of" entry and the policy exists, too.

I checked this with a post request to https://myprivacy-idea/validate/check and I’m getting all groups of the user in the user details. So I think this is all ok.

I’m not a perl developer, but I take a look at the privacyidea_radius.pm file. There is a section

if (ref($attributevalue) eq "ARRAY") {
    &radiusd::radlog(Info, "+++++++ User attribute is a list: $attributevalue");
    @values = @$attributevalue;
 }
 foreach my $value (@values) {
       &radiusd::radlog(Info, "+++++++ trying to match $value");
       if ($value =~ /$regex/) {
           my $result = $1;
           $radReply{$radiusAttribute} = "$prefix$result$suffix";
           &radiusd::radlog(Info, "++++++++ Result: Add RADIUS attribute $radiusAttribute = $result");
      } else {
           &radiusd::radlog(Info, "++++++++ Result: No match, no RADIUS attribute $radiusAttribute added.");
      }
}

It seems the $radReply variable is a map and only the last entry in the array is saved to the map. So at the end there is only one “Filter-ID” entry in the radius response, correct?

cornelinux · June 14, 2019, 9:19pm

How does your radius response look like?

I think the response could contain several occurrances of the same key, just like your example with the Vasco server and the intern and extern VPN.
Actually, what do you need in the Firewall.
You can also set a distrinct filter-id based on some regexp in your privacyidea response attributes.

I had a cool video explaining all this. Never published it since the image was too choppy.
Maybe I should nevertheless…

cornelinux · June 14, 2019, 9:43pm

I think you are right, that the regexp filter only fills one entry of Filter-Id.

Howwever, you can drop the section [Attribute Filter-Id] and instead configure this section:

[Mapping user]
group = Filter-Id

This will add several filter IDs with the names of the groups in the radius response.

% echo "User-Name=hans, User-Password=test" | radclient -x -s localhost auth testing123
Sent Access-Request Id 192 from 0.0.0.0:34601 to 127.0.0.1:1812 length 44
	User-Name = "hans"
	User-Password = "test"
	Cleartext-Password = "test"
Received Access-Accept Id 192 from 127.0.0.1:1812 to 0.0.0.0:0 length 152
	Filter-Id = "CN=privacyidea-users,CN=Users,DC=testfoo,DC=intranet"
	Filter-Id = "CN=Domain Admins,CN=Users,DC=testfoo,DC=intranet"
	Reply-Message = "privacyIDEA access granted"
Packet summary:
	Accepted      : 1
	Rejected      : 0
	Lost          : 0
	Passed filter : 1
	Failed filter : 0